Abstract. We define three hard problems in the theory of elliptic divisibility sequences (EDS Association, EDS Residue and EDS Discrete Log), each of which is solvable in sub-exponential time if and only if the elliptic curve discrete logarithm problem is solvable in sub-exponential time. We also relate the problem of EDS Association to the Tate pairing and the MOV, Frey-Rück and Shipsey EDS attacks on the elliptic curve discrete logarithm problem in the cases where these apply.



1 Introduction 

The security of elliptic curve cryptography rests on the assumption that the 
elliptic curve discrete logarithm problem is hard. 

Problem 1 (Elliptic Curve Discrete Logarithm Problem (ECDLP)). Let $E$ be an elliptic curve over a finite field $K$. Suppose there are points $P, Q \in E(K)$ given such that $Q \in \langle P \rangle$. Determine $k$ such that $Q = [k]P$.

In this article, we explore several related hard problems with a view to expanding the theoretical foundations of the security of ECDLP as a hard problem. Our research is inspired by work of Rachel Shipsey in her thesis [1], relating the ECDLP to elliptic divisibility sequences (EDS). An elliptic divisibility sequence is a recurrence sequence $W(n)$ satisfying the relation

$$W(n+m)\,W(n-m) = W(n+1)\,W(n-1)\,W(m)^2 - W(m+1)\,W(m-1)\,W(n)^2.$$

We relate Shipsey's work to the MOV and Frey-Rück attacks and explain their limitations from the EDS point of view. We also point to a specific avenue for attacking ECDLP by analysing the quadratic residuosity of elliptic divisibility sequences.

The study of elliptic divisibility sequences was introduced by Morgan Ward [2]. Let $\Psi_n$ denote the $n$-th division polynomial of an elliptic curve $E$ over the rationals. The sequence $W_{E,P} : \mathbb{Z} \to \mathbb{Q}$ of the form $W_{E,P}(n) = \Psi_n(P)$ for some fixed point $P \in E(\mathbb{Q})$ is an elliptic divisibility sequence, and Ward showed that almost all elliptic divisibility sequences arise in this way. This relationship is the basis of our work here.

The general theory has been developed by Swart [3], Ayad [4], Silverman 
[5] [6], Everest, McLaren and Thomas Ward [7] and, more recently, generalised 
to higher rank elliptic nets by Stange [8] [9]. For an overview of research, see [10]. 
Sections 2 and 3 provide brief background on elliptic divisibility sequences and 
elliptic nets, more information about which can be found in [8] [9] [11]. 

The hard problems for elliptic divisibility sequences we consider are: 

Problem 2 (EDS Association). Let $E$ be an elliptic curve over a finite field $K$. Suppose there are points $P, Q \in E(K)$ given such that $Q \in \langle P \rangle$, $Q \neq O$, and $\operatorname{ord}(P) > 4$. Determine $W_{E,P}(k)$ for $0 < k < \operatorname{ord}(P)$ such that $Q = [k]P$.

Problem 3 (EDS Residue). Let $E$ be an elliptic curve over a finite field $K$. Suppose there are points $P, Q \in E(K)$ given such that $Q \in \langle P \rangle$, $Q \neq O$, and $\operatorname{ord}(P) > 4$. Determine the quadratic residuosity of $W_{E,P}(k)$ for $0 < k < \operatorname{ord}(P)$ such that $Q = [k]P$.

Problem 4 (Width $s$ EDS Discrete Log). Given an elliptic divisibility sequence $W$ and terms $W(k), W(k+1), \ldots, W(k+s-1)$, determine $k$.

Problem 4 was considered by Shipsey [1, §6.3.1] and Gosper, Orman and 
Schroeppel [12, §3]. Problem 2 is also implicit in [1, §6.4.1] and [12, §3]. 

A perfectly periodic elliptic divisibility sequence is one which has a finite period $n$ and whose first positive index $k$ at which $W(k) = 0$ is $k = n$. If a sequence is not perfectly periodic, then it has period $n > k$. In Section 10, we prove the following theorem.

Theorem 1. Let $E$ be an elliptic curve over a finite field $K = \mathbb{F}_q$ of characteristic not equal to 2. If any one of the following problems is solvable in sub-exponential time, then all of them are:

1. Problem 1: ECDLP

2. Problem 2: EDS Association for non-perfectly periodic sequences

3. Problem 3: EDS Residue for non-perfectly periodic sequences

4. Problem 4 ($s = 3$): Width 3 EDS Discrete Log for perfectly periodic sequences

Section 4 relates Problems 4 and 2 to the ECDLP. Section 6 expands on Problem 2. Sections 7 and 8 discuss Problem 3. Section 9 remarks on Problem 4. Section 10 proves Theorem 1. The relation with the MOV and Frey-Rück attacks is discussed in Section 5.

The authors would like to thank the referees for their helpful suggestions. 



2 Background on Elliptic Nets 

In this section we state the background definitions and results on elliptic divisibility sequences and elliptic nets that are needed for the rest of the paper. For details and examples, see [8] [9] [11].

Definition 1 (Stange [8, Def. 2.1] [9, Def. 3.1.1]). Let $K$ be a field, $n > 0$ an integer. An elliptic net is any map $W : \mathbb{Z}^n \to K$ such that the following recurrence holds for all $\mathbf{p}, \mathbf{q}, \mathbf{r}, \mathbf{s} \in \mathbb{Z}^n$:

$$W(\mathbf{p}+\mathbf{q}+\mathbf{s})\,W(\mathbf{p}-\mathbf{q})\,W(\mathbf{r}+\mathbf{s})\,W(\mathbf{r})
+ W(\mathbf{q}+\mathbf{r}+\mathbf{s})\,W(\mathbf{q}-\mathbf{r})\,W(\mathbf{p}+\mathbf{s})\,W(\mathbf{p})
+ W(\mathbf{r}+\mathbf{p}+\mathbf{s})\,W(\mathbf{r}-\mathbf{p})\,W(\mathbf{q}+\mathbf{s})\,W(\mathbf{q}) = 0. \qquad (1)$$

We refer to $n$ as the rank of the elliptic net. An elliptic net of rank one is called an elliptic divisibility sequence.

One always has $W(-\mathbf{v}) = -W(\mathbf{v})$ and $W(\mathbf{0}) = 0$, and a restriction of an elliptic net to a sublattice of $\mathbb{Z}^n$ is again an elliptic net. The important fact for our purposes is that any elliptic curve $E$ over $K$ and points $P_1, \ldots, P_n \in E(K)$ gives rise to a unique elliptic net $W_{E,P_1,\ldots,P_n} : \mathbb{Z}^n \to K$. The principal theorem is as follows.

Theorem 2 (Stange [8, Thm. 6.1] [9, Thm. 7.1.1]). Let $n > 0$ be an integer. Let

$$E : f(x,y) = y^2 + a_1 xy + a_3 y - x^3 - a_2 x^2 - a_4 x - a_6 = 0$$

be an elliptic curve defined over a field $K$. Let $e_i$ be the $i$-th standard basis vector. For all $\mathbf{v} \in \mathbb{Z}^n$, there are functions $\Psi_{\mathbf{v}} : E^n \to K$ in the ring

$$\mathbb{Z}[a_1, a_2, a_3, a_4, a_6][x_i, y_i]_{i=1}^{n}\big[(x_i - x_j)^{-1}\big]_{1 \le i < j \le n} \big/ \big(f(x_i, y_i)\big)_{i=1}^{n} \subset K(E^n),$$

such that

1. $W(\mathbf{v}) = \Psi_{\mathbf{v}}$ satisfies the recurrence (1).

2. $\Psi_{\mathbf{v}} = 1$ whenever $\mathbf{v} = e_i$ for some $1 \le i \le n$ or $\mathbf{v} = e_i + e_j$ for some $1 \le i < j \le n$.

3. $\Psi_{\mathbf{v}}$ vanishes at $\mathbf{P} = (P_1, \ldots, P_n) \in E^n$ if and only if $\mathbf{v} \cdot \mathbf{P} = O$ on $E$ (and $\mathbf{v}$ is not one of the vectors specified in 2).

In the case of rank $n = 1$, the $\Psi_{\mathbf{v}}$ are the familiar division polynomials of an elliptic curve [13, p. 105]. Since the $\Psi_{\mathbf{v}}$ satisfy the elliptic net recurrence (1), we may make the following definition.

Definition 2 (Stange [8, Def. 6.1] [9, Def. 7.2.1]). For any elliptic curve $E$ defined over $K$ and non-zero points $P_1, \ldots, P_n \in E(K)$ such that no two are equal or inverses (or, if $n = 1$, $P_1$ is not a 2- or 3-torsion point), the map $W_{E,P_1,\ldots,P_n} : \mathbb{Z}^n \to K$ defined by

$$W_{E,P_1,\ldots,P_n}(\mathbf{v}) = \Psi_{\mathbf{v}}(P_1, \ldots, P_n)$$

is an elliptic net called the elliptic net associated to $E, P_1, \ldots, P_n$.



Nearly all elliptic nets arise in this way (see [8] [9]). For the remainder of this 
article, any elliptic net or elliptic divisibility sequence will be assumed to have 
this form. 

Elliptic nets or elliptic divisibility sequences are arrays or sequences of values 
of K. The zeroes in this array are particularly important. 

Definition 3. The zeroes of an elliptic divisibility sequence or elliptic net appear 
as a sublattice of the lattice of indices. We call this sublattice the lattice of 
zero-apparition. In the case of a sequence, this sublattice is specified by a single 
positive integer - the smallest positive index of a vanishing term - and this 
number is called the rank of zero-apparition. 

The rank of zero-apparition of an elliptic divisibility sequence associated to a point $P$ will equal the order of the point $P$. In the case of an array associated to points $P_1, \ldots, P_n$, the zeroes $(v_1, \ldots, v_n)$ correspond to linear combinations $\mathbf{v} \cdot \mathbf{P}$ that vanish.

Suppose $T : \mathbb{Z}^s \to \mathbb{Z}^t$ is a $\mathbb{Z}$-linear transformation. The following theorem relates the elliptic net associated to $\mathbf{P} \in E^s$ to that associated to $T(\mathbf{P}) \in E^t$.

Theorem 3 (Stange [8, Prop. 5.6] [9, Thm. 6.2.3]). Let $T$ be any $t \times s$ integral matrix. Let $\mathbf{P} \in E^s$ and $\mathbf{v} \in \mathbb{Z}^t$. Then

$$W_{E,\mathbf{P}}(T^{tr}(\mathbf{v})) = W_{E,T(\mathbf{P})}(\mathbf{v}) \times \prod_{i=1}^{t} W_{E,\mathbf{P}}(T^{tr}(e_i))^{2v_i^2 - v_i \sum_{j=1}^{t} v_j} \prod_{1 \le i < j \le t} W_{E,\mathbf{P}}(T^{tr}(e_i + e_j))^{v_i v_j}. \qquad (2)$$

This has several useful corollaries. For proofs see the cited references. 

Theorem 4 (Ward [2, Thm. 8.1], Stange [9, Thm. 10.2.3] [14]). Suppose that $W_{E,P}(m) = 0$. Then for all $l, v \in \mathbb{Z}$, we have

$$W_{E,P}(lm + v) = W_{E,P}(v)\, a^{vl}\, b^{l^2}$$

where

$$a = \frac{W_{E,P}(m+2)}{W_{E,P}(m+1)\, W_{E,P}(2)}, \qquad b = \frac{W_{E,P}(m+1)^2\, W_{E,P}(2)}{W_{E,P}(m+2)}.$$

Furthermore, $a^m = b^2$. Therefore, there exists an $\alpha \in \bar{K}$, the algebraic closure of $K$, such that $\alpha^{2m} = a$ and $\alpha^{m^2} = b$, and so

$$W_{E,P}(lm + v) = W_{E,P}(v)\, \alpha^{(lm+v)^2 - v^2}.$$

Theorem 5 (Stange [9, Thm. 10.2.3] [14]). Suppose $\mathbf{r} = (r_1, r_2) \in \mathbb{Z}^2$ is such that $W_{E,P,Q}(\mathbf{r}) = 0$. For $l \in \mathbb{Z}$ and $\mathbf{v} = (v_1, v_2) \in \mathbb{Z}^2$ we have

$$W_{E,P,Q}(l\mathbf{r} + \mathbf{v}) = W_{E,P,Q}(\mathbf{v})\, a_{\mathbf{r}}^{l v_1}\, b_{\mathbf{r}}^{l v_2}\, c_{\mathbf{r}}^{l^2}$$

where

$$a_{\mathbf{r}} = \frac{W(r_1+2, r_2)}{W(r_1+1, r_2)\, W(2,0)}, \qquad b_{\mathbf{r}} = \frac{W(r_1, r_2+2)}{W(r_1, r_2+1)\, W(0,2)}, \qquad c_{\mathbf{r}} = \frac{W(r_1+1, r_2+1)}{a_{\mathbf{r}}\, b_{\mathbf{r}}\, W(1,1)}.$$



3 Perfectly Periodic Sequences and Nets 



Definition 4. An elliptic divisibility sequence is called perfectly periodic if it is periodic with respect to its rank of zero-apparition. An elliptic net is called perfectly periodic if it is periodic with respect to its lattice of zero-apparition.

Definition 5. Let $f : \mathbb{Z}^n \to K^*$ be a quadratic function, and $k \in K^*$ a constant. Two elliptic nets $W$ and $W'$ are called equivalent if $W'(\mathbf{v}) = k\, f(\mathbf{v})\, W(\mathbf{v})$.

As an example, let $W$ be an elliptic divisibility sequence with rank of zero-apparition $m$. In one variable ($n = 1$), quadratic functions to $K^*$ have the form $f(n) = a^{n^2}$ for some $a \in K^*$. Suppose we use $\alpha$ as defined by Theorem 4, i.e. $\alpha^{2m} = a$, $\alpha^{m^2} = b$, and take $f(n) = \alpha^{-n^2}$ and $k = \alpha^{-1}$. Then $W'(n) = \alpha^{-n^2 - 1}\, W(n)$, and this sequence is perfectly periodic. Suppose that $K = \mathbb{F}_q$ and $\gcd(q-1, m) = 1$. In this case the conditions of Theorem 4 determine such an $\alpha$ uniquely, and it lies in $K$. Otherwise (if $\gcd(q-1, m) \neq 1$), two such $\alpha$'s will exist, equal up to sign. The two resulting perfectly periodic sequences will be equal at even-indexed locations and equal up to sign at odd-indexed locations.

The moral of the last paragraph is that any elliptic divisibility sequence is equivalent to a perfectly periodic one. We can give an explicit expression for such a perfectly periodic sequence.

Theorem 6. Let $K$ be a finite field of $q$ elements, and $E$ an elliptic curve defined over $K$. For all points $P \in E$ of order relatively prime to $q - 1$ and greater than 3, define

$$\phi(P) = \left( \frac{W_{E,P}(q - 1 + \operatorname{ord}(P))}{W_{E,P}(q - 1)} \right)^{-\operatorname{ord}(P)^{-2}} \qquad (3)$$

(the exponent is taken modulo $q - 1$). For a point $P$ of order relatively prime to $q - 1$ and greater than 3, the sequence $\phi([n]P)$ is a perfectly periodic elliptic divisibility sequence equivalent to $W_{E,P}(n)$. Specifically,

$$\phi([n]P) = \phi(P)^{n^2}\, W_{E,P}(n). \qquad (4)$$

More generally, let $\mathbf{P} \in E(K)^n$ be a collection of nonzero points, no two equal or inverses, and all elements of a single cyclic group and having order greater than 3. The $n$-array $\phi(\mathbf{v} \cdot \mathbf{P})$ (as $\mathbf{v}$ ranges over $\mathbb{Z}^n$) forms a perfectly periodic elliptic net equivalent to $W_{E,\mathbf{P}}(\mathbf{v})$. Specifically,

$$\phi(\mathbf{v} \cdot \mathbf{P}) = W_{E,\mathbf{P}}(\mathbf{v}) \prod_{i=1}^{n} \phi(P_i)^{2v_i^2 - v_i \sum_{j=1}^{n} v_j} \prod_{1 \le i < j \le n} \phi(P_i + P_j)^{v_i v_j}.$$

Proof. The proof uses Theorem 3. We will demonstrate the method of proof in the rank one case before proceeding to the general case. Take $T = (l)$, so

$$W_{E,[l]P}(n)\, W_{E,P}(l)^{n^2} = W_{E,P}(nl).$$

By symmetry,

$$W_{E,[n]P}(l)\, W_{E,P}(n)^{l^2} = W_{E,P}(nl).$$

Let $m = \operatorname{ord}(P)$. Thus, combining the above and using $l = q - 1$ and $l = q - 1 + m$ in turn,

$$\frac{W_{E,[n]P}(q-1)}{W_{E,P}(q-1)^{n^2}} = W_{E,[q-1]P}(n) = W_{E,[q-1+m]P}(n) = \frac{W_{E,[n]P}(q-1+m)\, W_{E,P}(n)^{(q-1+m)^2}}{W_{E,P}(q-1+m)^{n^2}}.$$

Rearranging,

$$\phi([n]P) = \phi(P)^{n^2}\, W_{E,P}(n).$$

Therefore, $\phi([n]P)$ is an elliptic divisibility sequence. By definition, $\phi([n]P)$ has period $\operatorname{ord}(P)$ which is equal to the rank of apparition of $W_{E,P}$ and $\phi([n]P)$. So $\phi([n]P)$ is perfectly periodic.

For the rank $n$ case, let $m$ be the order of the cyclic group containing all the points under consideration. In Theorem 3, let $t = 1$ and $s = n$ and take $T = (v_1\ v_2\ v_3 \cdots v_n)$ to obtain

$$W_{E,\mathbf{P}}(l\mathbf{v}) = W_{E,\mathbf{v}\cdot\mathbf{P}}(l)\, W_{E,\mathbf{P}}(\mathbf{v})^{l^2}.$$

Now take $t = s = n$ in Theorem 3, and $T = l \cdot \mathrm{Id}_n$ to obtain

$$W_{E,\mathbf{P}}(l\mathbf{v}) = W_{E,l\mathbf{P}}(\mathbf{v}) \prod_{i=1}^{n} W_{E,\mathbf{P}}(l e_i)^{2v_i^2 - v_i \sum_{j=1}^{n} v_j} \prod_{1 \le i < j \le n} W_{E,\mathbf{P}}(l e_i + l e_j)^{v_i v_j}.$$

Note that

$$W_{E,\mathbf{P}}(l e_i) = W_{E,P_i}(l), \qquad W_{E,\mathbf{P}}(l e_i + l e_j) = W_{E,P_i + P_j}(l).$$

Combining the above, we have



Comparing this in the case of $l = q - 1$ and $l = q - 1 + m$ gives the required result, as before.

In light of this theorem we will use the convenient notation

$$\widetilde{W}_{E,P}(n) = \phi([n]P),$$

and call this the perfectly periodic elliptic divisibility sequence associated to $E$ and $P$. The attractive property of a perfectly periodic sequence is formula (3): $\widetilde{W}_{E,P}(n)$ can be calculated as a function of the point $[n]P$ on the curve without knowledge of $n$.

Corollary 1. Suppose that $E$ is an elliptic curve over a field $K = \mathbb{F}_q$ and $P \in E(K)$ is of order $m > 4$. The period of the sequence $W_{E,P}$ is $m \cdot \operatorname{ord}_{K^*}(\phi(P))$.

Proof. First, $\phi([n]P)$ has period exactly $m$, since if the period were $m' < m$, then $W_{E,P}(m') = 0$, a contradiction. The result now follows from equation (4).

The ratio between the period and the rank of zero-apparition, which we've demonstrated to be $\operatorname{ord}_{K^*}(\phi(P))$, is called $\tau$ by Morgan Ward [2, Thm. 11.1].



4 The Hard Problems 



As we have seen, elliptic nets are closely related to the points on an elliptic 
curve. In this section, we will see specifically how to compute them, and how 
they relate, algorithmically, to the points. 

The choice of segment $0 < k < \operatorname{ord}(P)$ is not crucial in Problem 2 (EDS Association): it could be restated for any segment $i \operatorname{ord}(P) < k < (i+1) \operatorname{ord}(P)$. This problem is trivial for a perfectly periodic sequence or net (since $\widetilde{W}(k) = \phi(Q)$ is computable in $\log q$ time). For the non-perfectly periodic case, the problem appears to be much harder. As for Problem 4 (EDS Discrete Log), on the other hand, for non-perfectly periodic elliptic divisibility sequences, it can be solved by computing an $\mathbb{F}_q^*$ discrete log. For this problem, it is the case of perfect periodicity that seems very difficult.

We will see that these hard problems are related according to the following 
diagram. 




We demonstrate the complexity of solving the problems associated to the solid lines in the following series of theorems. The solid line labelled $\mathbb{F}_q^*$DLP has the complexity of a discrete logarithm problem in $\mathbb{F}_q^*$ (this is sub-exponential by index calculus). No sub-exponential algorithms are known for the dotted lines.

Since our concern is polynomial time vs. non-polynomial time, in the following we assume naive arithmetic in $\mathbb{F}_q$, i.e. we bound the time to do basic $\mathbb{F}_q$ operations by $O((\log q)^2)$ for simplicity.

Lemma 1. Let $E$ be an elliptic curve defined over $K$, and $P \in E(K)$ be a point of order not less than 4. The $x$-coordinate of $[n]P$, $x([n]P)$, can be calculated in $O((\log q)^2)$ time from the three terms $W_{E,P}(n-1)$, $W_{E,P}(n)$, and $W_{E,P}(n+1)$ or from the three terms $\widetilde{W}_{E,P}(n-1)$, $\widetilde{W}_{E,P}(n)$, and $\widetilde{W}_{E,P}(n+1)$.



Proof. See [9, Lemma 6.2.2] for the following identity: 



'""y -^-'wn c> 

The left-hand side of (5) is invariant under equivalence, and so the same calculation applies if we put tildes on the $W$'s.

Theorem 7 (Shipsey [1, Thm 3.4.1]). Let $E$ be an elliptic curve over $K$, and $P \in E(K)$ a point of order not less than 4. Given a value $t$, the term $W_{E,P}(t)$ in the elliptic divisibility sequence associated to $E, P$ can be calculated in $O((\log t)(\log q)^2)$ time.

Proof. For completeness, we give a simplified version of Shipsey's algorithm here. Following Shipsey, denote by $\langle W_{E,P}(k) \rangle$ the segment or block centred at $k$ of eight terms $W_{E,P}(k-3), W_{E,P}(k-2), \ldots, W_{E,P}(k+3), W_{E,P}(k+4)$ of the sequence. The block centred at $t$ can be calculated from the block centred at 1 via a double-and-add algorithm based on an addition chain for $t$. The calculation of the new block from the previous depends on two instances of the recurrence (one such calculation for each term of the new block):

$$W(2i-1, 0) = W(i+1, 0)\, W(i-1, 0)^3 - W(i-2, 0)\, W(i, 0)^3,$$
$$W(2i, 0) = \big( W(i, 0)\, W(i+2, 0)\, W(i-1, 0)^2 - W(i, 0)\, W(i-2, 0)\, W(i+1, 0)^2 \big) / W(2, 0).$$

To begin we must calculate the block centred at 1. Recalling that $W(0) = 0$, $W(1) = 1$ and $W(-n) = -W(n)$, we must calculate $W(i)$ for $i = 2, 3, 4$. Precise formulae in terms of the coordinates of $P$ and the Weierstrass coefficients for $E$ can be found in [13, p. 105] or for long Weierstrass equations in [15, p. 80]. This algorithm takes $O(\log t)$ steps, each of which involves a fixed number of $\mathbb{F}_q^*$ multiplications and additions, which take $O((\log q)^2)$ time at worst.
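As an added example (not code from the paper or its authors), the following Python computes $W_{E,P}(t)$ by the block double-and-add of Theorem 7's proof and then checks, on a constructed curve over $\mathbb{F}_{101}$ with a point of prime order $m$ coprime to $q-1$, the rank of zero-apparition, the $x$-coordinate identity behind Lemma 1, Ward's relation of Theorem 4, and the perfect periodicity of $\phi([n]P)$ from Theorem 6. The formulae for $W(2), W(3), W(4)$ are the standard division polynomials of a short Weierstrass curve and the identity $x([n]P) = x(P) - W(n-1)W(n+1)/W(n)^2$ is the standard form of (5); neither is quoted from this page, and the field, curve and point are constructed for the example.

```python
"""Elliptic divisibility sequences over F_q: Shipsey's block double-and-add
(Theorem 7) and checks of Theorems 4 and 6.  Added example; the field, curve
and point are constructed here and are not values from the paper."""

Q = 101  # constructed: q = 101, so q - 1 = 100
inv = lambda x: pow(x % Q, -1, Q)


def ec_add(curve, R, S):
    """Affine addition on y^2 = x^3 + a x + b over F_q; None plays O."""
    if R is None or S is None:
        return S if R is None else R
    if R[0] == S[0] and (R[1] + S[1]) % Q == 0:
        return None
    lam = ((3 * R[0] ** 2 + curve[0]) * inv(2 * R[1]) if R == S
           else (S[1] - R[1]) * inv(S[0] - R[0])) % Q
    x3 = (lam * lam - R[0] - S[0]) % Q
    return (x3, (lam * (R[0] - x3) - R[1]) % Q)


def ec_mul(curve, n, R):
    acc = None
    for bit in bin(n)[2:]:
        acc = ec_add(curve, acc, acc)
        acc = ec_add(curve, acc, R) if bit == "1" else acc
    return acc


def point_order(curve, R):
    n, T = 1, R
    while T is not None:
        n, T = n + 1, ec_add(curve, T, R)
    return n


def initial_block(curve, R):
    """Block centred at 1, W(-2..5): W(2..4) are the standard division
    polynomials psi_2, psi_3, psi_4 at R; W(5) is the recurrence with (n, m) = (3, 2)."""
    (a, b), (x, y) = curve, R
    w2 = 2 * y % Q
    w3 = (3 * x**4 + 6 * a * x**2 + 12 * b * x - a * a) % Q
    w4 = 4 * y * (x**6 + 5 * a * x**4 + 20 * b * x**3 - 5 * a * a * x**2
                  - 4 * a * b * x - 8 * b * b - a**3) % Q
    w5 = (w4 * w2**3 - w3**3) % Q
    return [-w2 % Q, Q - 1, 0, 1, w2, w3, w4, w5]


def shift_block(block, i, w2_inv, odd):
    """Block centred at 2i (or 2i+1 if odd) from the block W(i-3..i+4), via the
    two recurrence instances of Theorem 7: W(2j-1) = W(j+1)W(j-1)^3 - W(j-2)W(j)^3
    and W(2j) = (W(j)W(j+2)W(j-1)^2 - W(j)W(j-2)W(j+1)^2) / W(2)."""
    W = lambda n: block[n - (i - 3)]  # entry for index n of the current block

    def term(n):
        j = (n + 1) // 2
        if n % 2:
            return (W(j + 1) * W(j - 1)**3 - W(j - 2) * W(j)**3) % Q
        return W(j) * (W(j + 2) * W(j - 1)**2 - W(j - 2) * W(j + 1)**2) * w2_inv % Q

    return [term(n) for n in range(2 * i + odd - 3, 2 * i + odd + 5)]


def eds_term(curve, R, t):
    """W_{E,R}(t) for t >= 0 by double-and-add over the bits of t (Theorem 7)."""
    if t == 0:
        return 0
    block, i = initial_block(curve, R), 1
    w2_inv = inv(block[4])
    for bit in bin(t)[3:]:  # bits after the leading one
        block = shift_block(block, i, w2_inv, bit == "1")
        i = 2 * i + (bit == "1")
    return block[3]


def phi(curve, R, m):
    """phi(R) of Theorem 6 for R of order m: (W_R(q-1+m)/W_R(q-1))^(-m^-2 mod q-1)."""
    ratio = eds_term(curve, R, Q - 1 + m) * inv(eds_term(curve, R, Q - 1)) % Q
    return pow(ratio, -pow(m * m, -1, Q - 1) % (Q - 1), Q)


def find_point(a=2):
    """Constructed search: a curve and a point of prime order m >= 7 (so m is
    odd and coprime to q - 1 = 100), the hypotheses of Theorem 6."""
    for b in range(1, Q):
        pts = [(x, y) for x in range(Q) for y in range(1, Q)
               if y * y % Q == (x**3 + a * x + b) % Q] if (4 * a**3 + 27 * b * b) % Q else []
        for R in pts:
            n = point_order((a, b), R)
            for m in range(7, n + 1):
                if n % m == 0 and all(m % d for d in range(2, int(m**0.5) + 1)):
                    return (a, b), ec_mul((a, b), n // m, R), m


def check_paper_identities():
    """Check the paper's statements about W_{E,P} on the constructed example."""
    curve, P, m = find_point()
    W = lambda n: eds_term(curve, P, n)
    zeros_ok = all((W(n) == 0) == (n % m == 0) for n in range(1, 3 * m))  # Section 2
    # Lemma 1, via the standard identity x([n]P) = x(P) - W(n-1)W(n+1)/W(n)^2.
    x_ok = all(ec_mul(curve, n, P)[0] == (P[0] - W(n - 1) * W(n + 1)
               * inv(W(n)**2)) % Q for n in range(1, m))
    # Theorem 4: a^m = b^2 and W(lm + v) = W(v) a^{vl} b^{l^2}.
    a = W(m + 2) * inv(W(m + 1) * W(2)) % Q
    b = W(m + 1)**2 * W(2) * inv(W(m + 2)) % Q
    ward_ok = pow(a, m, Q) == b * b % Q and all(
        W(l * m + v) == W(v) * pow(a, v * l, Q) * pow(b, l * l, Q) % Q
        for l in range(1, 4) for v in range(m))
    # Theorem 6: phi([n]P) = phi(P)^{n^2} W(n), and that sequence has period m.
    tilde = [pow(phi(curve, P, m), n * n, Q) * W(n) % Q for n in range(2 * m)]
    phi_ok = tilde[:m] == tilde[m:] and all(
        phi(curve, ec_mul(curve, n, P), m) == tilde[n] for n in range(1, m))
    return {"order": m, "zeros": zeros_ok, "x_coord": x_ok, "ward": ward_ok, "periodic": phi_ok}
```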

Theorem 8. Let $E$ be an elliptic curve over $\mathbb{F}_q$, and $P \in E(\mathbb{F}_q)$ a point of order relatively prime to $q - 1$ and greater than 3. Given a point $Q = [k]P$, the term $\phi(Q) = \widetilde{W}_{E,P}(k)$ can be calculated in $O((\log q)^3)$ time without requiring knowledge of $k$.

Proof. We use equation (3). Using Theorem 7 to calculate the ratio of terms inside the parentheses takes $\log(q - 1 + \operatorname{ord}(Q)) + \log(q - 1)$ steps. Since $\operatorname{ord}(Q)$ is on the order of $q$, this is $O((\log q)^3)$ time at worst. The other necessary operation in (3) is to find the inverse of $\operatorname{ord}(Q)^2$ modulo $q - 1$, and to raise to that exponent. Both these are also $O(\log q)$ operations.

Theorem 9. Let $E$ be an elliptic curve over $\mathbb{F}_q$, and $P \in E(\mathbb{F}_q)$ a point of order relatively prime to $q - 1$ and greater than 3. Given the $\widetilde{W}_{E,P}(k)$, $\widetilde{W}_{E,P}(k+1)$ and $\widetilde{W}_{E,P}(k+2)$, the point $Q = [k]P$ can be calculated in probabilistic $O((\log q)^4)$ time without requiring knowledge of $k$.



Proof. Calculate $x([k+1]P)$ by Lemma 1. We can calculate the corresponding possible values for $y$ in probabilistic time $O((\log q)^4)$ [16, §7.1-2]. To determine which of the two points with this $x$-coordinate is actually $[k+1]P$, first take one of the two candidate points, and proceed on the assumption that it is $[k+1]P$. Using the addition formula for elliptic curves, calculate $x([k+1]P + P) = x([k+2]P)$. Compare this with (5) to determine $W(k+3)$. Also determine $W(k+4)$ in this manner. Then, if the terms $W(k), \ldots, W(k+4)$ satisfy the recurrence instance

$$W(k+4)\,W(k) = W(k+1)\,W(k+3)\,W(2)^2 - W(3)\,W(1)\,W(k+2)^2,$$

our assumption about the point we chose is correct. If this recurrence does not hold, then the point we chose was incorrect, and the other one is the point $[k+1]P$ we seek. For, it is impossible that both points cause the above equation to be satisfied: any sequence of four consecutive terms in an elliptic divisibility sequence determines the entire sequence uniquely. Finally, knowing $[k+1]P$, we can calculate $Q = [k]P = [k+1]P - P$.

The following theorem is implicit in the work of Shipsey; see Section 5.2 for 
an explanation. 

Theorem 10. Suppose $P$ has order relatively prime to $q - 1$ and greater than 3, and $\phi(P)$ is a primitive root in $\mathbb{F}_q^*$. Given $W_{E,P}(k), W_{E,P}(k+1), W_{E,P}(k+2)$, where it can be assumed that $0 < k < \operatorname{ord}(P)$, calculating $k$ can be reduced to a single discrete logarithm in $\mathbb{F}_q^*$ in probabilistic $O((\log q)^4)$ time.

Proof. We can deduce the $x$-coordinate of the point $Q = [k]P$ by Lemma 1. Compute the two corresponding $y$-coordinates, which takes probabilistic time $O((\log q)^4)$ [16, §7.1-2]. Choosing one of the two possible $y$-coordinates, we have either $Q = [k]P$ or $Q = [-k]P$. To determine which is correct, use the trick of the proof of Theorem 9. Suppose it is the former; then, from Theorem 6, we have

$$\frac{\phi([k+1]P)}{\phi([k]P)} = \phi(P)^{2k+1}\, \frac{W_{E,P}(k+1)}{W_{E,P}(k)}. \qquad (6)$$

So $k$ satisfies an equation of the form $A = B^{2k+1}$ where $A$ and $B$ are known, and $B$ has order $q - 1$ by assumption. Therefore, we are reduced to solving a discrete logarithm of the form $A = B^x$ for $0 \le x < q - 1$, with the understanding that $k$ will be one of $(x-1)/2$ or $(x+q-1)/2$. (In fact, if $q - 1 < m$, there may be at most two other possible values of $k$ to check: the above values shifted by $q - 1$.)

Remark 1. Let $m = \operatorname{ord}(P)$. Suppose that $\gcd(m, q-1) = 1$. As an integer $k$ ranges over representatives of a single coset in $\mathbb{Z}/m\mathbb{Z}$, it ranges over all possible cosets of $\mathbb{Z}/(q-1)\mathbb{Z}$. Therefore, we cannot expect to find the set of $k$ such that $Q = [k]P$ (i.e. a coset in $\mathbb{Z}/m\mathbb{Z}$) by solving an equation of the form $A = B^k$ in $\mathbb{F}_q^*$ (i.e. solving modulo $q - 1$). One solution to this problem is to attempt to solve for an integer $k$ (instead of a coset) - say, for example, the smallest non-negative $k$ with $Q = [k]P$. This is in essence what the preceding theorem does. With this in mind, we set some terminology.



Definition 6. Let $Q$ be a multiple of $P$ on an elliptic curve $E$. The minimal multiplier of $Q$ with respect to $P$ is the smallest non-negative value of $k$ such that $Q = [k]P$.

Note that the minimal multiplier satisfies $0 \le k < \operatorname{ord}(P)$.

5 $\mathbb{F}_q^*$ Discrete Logarithm, The Tate Pairing and MOV/Frey-Rück Attack

Theorem 10 uses terms of the elliptic divisibility sequence to give a discrete logarithm problem in $\mathbb{F}_q^*$. We demonstrate some variations on this theme, and relate these types of equations to the Tate pairing, and to an ECDLP attack given by Shipsey [1].

5.1 An $\mathbb{F}_q^*$ DLP equation of the form $A = B^k$ from periodicity properties

The $\mathbb{F}_q^*$ DLP equations we consider are consequences of Theorem 3, but many can be conveniently understood in terms of its corollary Theorem 5. The following example involves the terms $W_{E,P}(k)$ and $W_{E,P}(k+1)$, and requires knowledge of $Q = [k]P$. The following diagram is suggestive for the discussion.



In this picture of $\mathbb{Z}^2$, $\mathbf{u} = (-3, 1)$, $\mathbf{s} = (5, 0)$ and $\mathbf{t} = (0, 5)$. Vectors $\mathbf{u}$ and $\mathbf{s}$ generate the lattice of zero-apparition $\Lambda$ for some elliptic net $W$ associated to points $P$ and $Q = [3]P$ of order 5. The vector $\mathbf{t}$ is also in $\Lambda$. One coset of $\mathbb{Z}^2$ modulo $\Lambda$ is shown as the solid discs.

Theorem 5 shows the transformation relative to translation by a vector $\mathbf{r} \in \Lambda$: it relates $W(\mathbf{v} + \mathbf{r})$ to $W(\mathbf{v})$ for each $\mathbf{v}$. This theorem can be applied repeatedly, and different 'paths' from one point to another must agree. In the picture above, the translation property which relates $W(\mathbf{v} + (-15, 5))$ to $W(\mathbf{v})$ can be calculated by applying the transformation associated to $\mathbf{u}$ five times (the diagonal path) or by applying the transformation associated to $-\mathbf{s}$ three times followed by that associated to $\mathbf{t}$ once (the sides of the triangle).

In the general case, we have $Q = [k]P$. Then the lattice of zero-apparition $\Lambda$ for $W = W_{E,P,Q}$ includes vectors $\mathbf{u} = (-k, 1)$, $\mathbf{s} = (m, 0)$ and $\mathbf{t} = (0, m)$.




Suppose $\mathbf{r} = (r_1, r_2)$ is an element of $\Lambda$ for $W = W_{E,P,Q}$. By Theorem 5, we have for all $l \in \mathbb{Z}$ and $\mathbf{v} \in \mathbb{Z}^2$,

$$W(l\mathbf{r} + \mathbf{v}) = W(\mathbf{v})\, a_{\mathbf{r}}^{l v_1}\, b_{\mathbf{r}}^{l v_2}\, c_{\mathbf{r}}^{l^2} \qquad (7)$$

where

$$a_{\mathbf{r}} = \frac{W(r_1+2, r_2)}{W(r_1+1, r_2)\, W(2,0)}, \qquad b_{\mathbf{r}} = \frac{W(r_1, r_2+2)}{W(r_1, r_2+1)\, W(0,2)}, \qquad c_{\mathbf{r}} = \frac{W(r_1+1, r_2+1)}{a_{\mathbf{r}}\, b_{\mathbf{r}}\, W(1,1)}.$$

We expect appropriate relationships between $a_{\mathbf{u}}, b_{\mathbf{u}}, c_{\mathbf{u}}, a_{\mathbf{s}}, b_{\mathbf{s}}$, etc. The $\mathbb{F}_q^*$ DLP equation we seek is one such relationship. We have

$$a_{\mathbf{s}} = \frac{W(m+2, 0)}{W(m+1, 0)\, W(2, 0)}, \qquad a_{\mathbf{t}} = \frac{W(2, m)}{W(1, m)\, W(2, 0)}, \qquad a_{\mathbf{u}} = \frac{W(2-k, 1)}{W(1-k, 1)\, W(2, 0)}.$$

For each $i \in \mathbb{Z}$, we apply (7) to obtain

$$a_{\mathbf{u}}^{i} = \frac{W(-ik+1, i-1)\, W(0,-1)}{W(1,-1)\, W(-ik, i-1)}. \qquad (8)$$

Set $i = m$ in (8), and apply (7) four times:

$$a_{\mathbf{u}}^{m} = \frac{W(-mk+1, m-1)\, W(0,-1)}{W(1,-1)\, W(-mk, m-1)}
= \left( \frac{W(-mk+1, m-1)}{W(-mk+1, -1)} \right) \left( \frac{W(-mk+1, -1)}{W(1,-1)} \right) \left( \frac{W(0,-1)}{W(-mk, -1)} \right) \left( \frac{W(-mk, -1)}{W(-mk, m-1)} \right)
= a_{\mathbf{t}}\, a_{\mathbf{s}}^{-k}.$$

Setting $i = 1$ in (8), we obtain an expression

$$a_{\mathbf{u}} = \frac{W(-k+1, 0)\, W(0,-1)}{W(1,-1)\, W(-k, 0)} = -\frac{W_{E,P}(k-1)}{W(1,-1)\, W_{E,P}(k)}$$

which, when substituted into the last calculation, yields

$$\left( \frac{W(m+1, 0)\, W(2, 0)}{W(m+2, 0)} \right)^{k} \left( \frac{W_{E,P}(k)}{W_{E,P}(k-1)} \right)^{m} = (-1)^m\, \frac{W(1, m)\, W(2, 0)}{W(2, m)\, W(1,-1)^{m}}. \qquad (9)$$



5.2 An $\mathbb{F}_q^*$ DLP equation from Shipsey's Thesis

The possibility of such an equation was observed by Rachel Shipsey in her thesis [1, (6.3)]. She uses one-dimensional periodicity properties to derive the following equation:

w E A(m + i)k)w E Ak + i) - WE ^ m + 1 ^ ^ 



Shipsey then argues that without knowledge of $k$ the left hand side can be calculated up to a factor of

$$\left( \frac{W_{E,P}(k)}{W_{E,P}(k-1)} \right)^{m(m+2)}.$$



This is very much of the same spirit as equation (9), and in fact, Theorem 3 can be used to rewrite (10) in this form:

W E ,p,Q(0,m+l) V W E ,p{k) J 

By Lemma 1, knowledge of $Q$, $W_{E,P}(k)$, $W_{E,P}(k-1)$ determines $W_{E,P}(k+1)$, and so this is very much equivalent to Shipsey's analysis. Note that the unknown terms in (11) are raised to the exponent $m + 2$. At first blush, this may appear to lead to an ECDLP attack for $q - 1 = m + 2$ (where the unknown terms will disappear). However, this is not allowed by Remark 1. In fact, it turns out that if $q - 1 = m + 2$, then $W_{E,P}(m+1) = 1$ (this eventually follows from Theorem 3 also).



5.3 $\mathbb{F}_q^*$ DLP equations and the Tate pairing

Choose $m \in \mathbb{Z}^+$. Let $E$ be an elliptic curve defined over a finite field $K$ containing the $m$-th roots of unity. Suppose $P \in E(K)[m]$ and $Q \in E(K)/mE(K)$. Since $P$ is an $m$-torsion point, $m(P) - m(O)$ is a principal divisor, say $\operatorname{div}(f_P)$. Choose another divisor $D_Q$ defined over $K$ such that $D_Q \sim (Q) - (O)$ and with support disjoint from $\operatorname{div}(f_P)$. Then, we may define the Tate pairing

$$\tau_m : E(K)[m] \times E(K)/mE(K) \to K^*/(K^*)^m$$

and Weil pairing

$$e_m : E(K)[m] \times E(K)[m] \to \mu_m$$

($\mu_m$ denoting the $m$-th roots of unity) by

$$\tau_m(P, Q) = f_P(D_Q), \qquad e_m(P, Q) = f_P(D_Q)\, f_Q(D_P)^{-1}.$$

Both are non-degenerate bilinear pairings, while the Weil pairing is alternating. For details, see [17] [18].

The Tate pairing and Weil pairing are used in the MOV [19] and Frey-Rück [20] attacks on the ECDLP. These use the Weil and Tate pairings, respectively, to translate an instance of the ECDLP into an $\mathbb{F}_q^*$ DLP equation, where index calculus methods may be used. The basic idea, illustrated here for the Tate pairing, is that $Q = [k]P$ implies $\tau_m(Q, S) = \tau_m(P, S)^k$ by bilinearity. If $S$ can be chosen so that $\tau_m(P, S)$ is non-trivial, and if the Tate pairing takes values in a manageably small finite field, then index calculus methods can be used to determine $k$. In particular, this attack applies for curves $E$ over $\mathbb{F}_q$ where $m = q - 1$.



In (11) and (9), all the terms may be calculated from knowledge of $m$, $P$ and $Q$ except for $W_{E,P}(k)$ and $W_{E,P}(k-1)$. However, notice that these unknown terms are raised to the power $m$. Therefore, in the case that $m = q - 1$, no extra information is needed and the ECDLP is reduced to an $\mathbb{F}_q^*$ DLP; this works in exactly the cases that the MOV or Frey-Rück attack applies.

These sorts of 'alternate versions' of the MOV/Frey-Rück attack do have a relation to the Tate pairing.

Theorem 11 (Stange [9, Thm. 17.2.1] [11, Thm. 6]). Let $E$ be an elliptic curve, $m \ge 4$, and $P \in E[m]$. Let $Q, S \in E$ be such that $S \notin \{O, Q\}$. Let $W$ be an elliptic net of rank $n$, associated to points $\mathbf{T} \in E(K)^n$. Let $\mathbf{s}, \mathbf{p}, \mathbf{q} \in \mathbb{Z}^n$ be such that

$$P = \mathbf{p} \cdot \mathbf{T}, \qquad Q = \mathbf{q} \cdot \mathbf{T}, \qquad S = \mathbf{s} \cdot \mathbf{T}.$$

Let $\tau_m : E[m] \times E/mE \to K^*/(K^*)^m$ be the Tate pairing. Then

$$\tau_m(P, Q) = \frac{W(m\mathbf{p} + \mathbf{q} + \mathbf{s})\, W(\mathbf{s})}{W(m\mathbf{p} + \mathbf{s})\, W(\mathbf{q} + \mathbf{s})}.$$

Now equations (9) and (11) can be re-written as statements in terms of the Tate pairing.

Equation (9): Use Theorem 11 with $\mathbf{p} = (1, 0)$, $\mathbf{q} = (-1, 0)$, $\mathbf{s} = (2, 0)$ for the left-hand side and $\mathbf{p} = (0, 1)$, $\mathbf{q} = (-1, 0)$, $\mathbf{s} = (2, 0)$ for the right. This rewrites (9) as

$$\tau_m(P, -P)^k = \tau_m(Q, -P).$$

Equation (11): This is somewhat more complicated. From Theorem 4 with $m = q - 1$ and Theorem 11 with various parameters,

W E Am + l)r m (P,P) =^ WEAm + 2) ) = b=a - 1 - 



$$\tau_m(P, Q) = \frac{W_{E,P,Q}(m+1, 1)\, W_{E,P,Q}(1, 0)}{W_{E,P,Q}(m+1, 0)\, W_{E,P,Q}(1, 1)}, \qquad
\tau_m(Q, P) = \frac{W_{E,P,Q}(1, m+1)\, W_{E,P,Q}(0, 1)}{W_{E,P,Q}(0, m+1)\, W_{E,P,Q}(1, 1)},$$

$$1 = \tau_m(P, O) = \tau_m(P, [m]Q) = \frac{W_{E,P,Q}(m+1, m+1)\, W_{E,P,Q}(1, 1)}{W_{E,P,Q}(m+1, 1)\, W_{E,P,Q}(1, m+1)}.$$

All of which, taken together, rewrites (11) as

$$\tau_m(P, Q)\, \tau_m(Q, P) = \tau_m(P, P)^{2k}.$$

Equation (4) (with $n = k$) does not, however, lend itself to this sort of re-writing in terms of pairings in the case $m = q - 1$, as the very definition of $\phi(P)$ requires the assumption that $\gcd(m, q-1) = 1$.



6 ECDLP through EDS Association 



The previous sections have demonstrated that there are a variety of ways to translate an ECDLP into an $\mathbb{F}_q^*$ DLP. The $\mathbb{F}_q^*$ DLP equation is in terms of elements of the sequence $W_{E,P}$. For example in (9), the elements are $W_{E,P}(k)$ and $W_{E,P}(k-1)$. The problem of finding these terms (with knowledge of $Q = [k]P$ but not $k$) is EDS Association. In this example, however, it is only their quotient that is needed. Depending on the form of the $\mathbb{F}_q^*$ DLP equation, different information (certain terms or ratios of terms) suffices. We formalise the most general statement of this in the following theorem.

Proposition 1. Fix an elliptic curve $E$ defined over $\mathbb{F}_q$, and $P \in E(\mathbb{F}_q)$ of order greater than three and relatively prime to $q - 1$. Suppose $\phi(P)$ has order $q - 1$ in $\mathbb{F}_q^*$. With knowledge of any product

$$\prod_{i=1}^{N} W_{E,P}(p_i(k))^{e_i} \qquad (12)$$

where the $e_i \in \mathbb{Z}$, and $p_i(x) \in \mathbb{Z}[x]$ of degree at most $D$, and $t(x) = \sum e_i\, p_i(x)^2$ is a non-constant polynomial of degree at most 2 in $\mathbb{Z}[x]$, the value of $k$ can be determined in subexponential time in $q$, with constants depending on $D$ and $N$.

Proof. Combine appropriate instances of equation (4) of Theorem 6 in such a way that $t(k)$ satisfies an equation in $\mathbb{F}_q^*$ of the form $A = B^{t(k)}$. That is, combine one instance for each $n = p_i(k)$ with multiplicities given by the respective $e_i$, and obtain an equation of the form

$$\frac{\prod_{i=1}^{N} W_{E,P}(p_i(k))^{e_i}}{\prod_{i=1}^{N} \widetilde{W}_{E,P}(p_i(k))^{e_i}} = \left( \phi(P)^{-1} \right)^{t(k)}.$$

(Perhaps it is easier to demonstrate this concept by example: suppose that $1 = e_1 = -e_2$, $p_1(k) = k + 1$, and $p_2(k) = k$, so that $t(k) = 2k + 1$, and obtain equation (6) (note the product (12) appears on the right side) from combining equation (4) for $n = p_1(k)$ and $n = p_2(k)$ with multiplicities given by $e_1 = 1$ and $e_2 = -1$.)

The left hand side $A$ includes the known product (12) as well as terms of the form $\phi([p_i(k)]P)$, while $B = \phi(P)^{-1}$. The $N$ points $[p_i(k)]P$ can each be calculated from knowledge of $P$ and $Q = [k]P$ without knowledge of $k$ in $O(D \log D)$ curve operations. Then the various $\phi$ terms can be computed in time $O((\log q)^3)$ by Theorem 8. Thus we have computed $A$ and $B$.

Solving the discrete logarithm $A = B^{t(k)}$ for $t(k)$ can be done sub-exponentially by index calculus methods. Solving for $k$ from $t(k)$ is sub-exponential [16, §7.1-2].

It is evident that the most costly step is the index calculus step, which in many cases has run time $r(q) = \exp\big(c (\log q)^{1/3} (\log \log q)^{2/3}\big)$ [21, p. 306].



7 ECDLP and Quadratic Residues 



We will show that determining only one bit of information - the residuosity - about a term $W_{E,P}(k)$ may suffice to solve the ECDLP. First, we observe a hypothetical method of attack for ECDLP.

Proposition 2. Let $P$ be a point of odd order relatively prime to $q - 1$. Given an oracle which can determine the parity of the minimal multiplier of any non-zero point $Q$ in $\langle P \rangle$ in time $O(T(q))$, the elliptic curve discrete logarithm for any such $Q$ can be determined in time $O(T(q) \log q + (\log q)^2)$.

Proof. Suppose that $k$ is the minimal multiplier of $Q$ with respect to $P$. The basic algorithm is:

1. If $Q = P$, stop.

2. Call the oracle to determine the parity of $k$. If $k$ is even, find $Q'$ such that $[2]Q' = Q$. If $k$ is odd, find $Q'$ such that $[2]Q' = Q - P$.

3. Set $Q = Q'$ and return to step 1.

In Step 2, since the cyclic group $\langle P \rangle$ has odd order, there is a unique $Q'$. It can be found in $O(\log q)$ time (see [22] for methods). Furthermore, $Q' = [k']P$ where

$$k' = \begin{cases} k/2 & k \text{ even} \\ (k-1)/2 & k \text{ odd.} \end{cases}$$

Then $k'$ is the minimal multiplier for $Q'$ with respect to $P$. At the end of this process, the value of the original $k$ can be deduced from the sequence of steps taken. For each even step, record a '0', and for each odd step a '1', writing from right to left, and adding a final '1': this will be the binary representation of $k$. The number of steps is $\log_2 k = O(\log q)$.

Proposition 3. Fix an elliptic curve $E$ defined over $\mathbb{F}_q$ of characteristic not equal to two, and $P \in E(\mathbb{F}_q)$ of order greater than three and relatively prime to $q - 1$. Suppose that $\phi(P)$ is a quadratic non-residue. Then, with knowledge of the quadratic residuosity of any product of the form

$$\prod_{i=1}^{N} W_{E,P}(p_i(k))^{e_i}, \qquad (13)$$

where the $e_i \in \mathbb{Z}$, and $p_i(x) \in \mathbb{Z}[x]$ of degree at most $D$, and $t(x) = \sum e_i\, p_i(x)^2$ is not constant as a function $\mathbb{Z}/2\mathbb{Z} \to \mathbb{Z}/2\mathbb{Z}$, the parity of $k$ can be determined in time $O\big(N(D (\log D) (\log q)^2 + (\log q)^3)\big)$.

Proof. By Theorem 6, the value $t(k)$ satisfies an equation in $\mathbb{F}_q^*$ of the form $A = B^{t(k)}$ (exactly as in the proof of Proposition 1). The quadratic residuosity of $A$ can be calculated in time $O\big(N(D (\log D) (\log q)^2 + (\log q)^3)\big)$ as in the proof of Proposition 1. Now, $B = \phi(P)$ is a quadratic non-residue. The parity of $t(k)$ can be calculated from these values in constant time (i.e. consider the question in $K^*$ modulo $(K^*)^2$). The parity of $k$ is determined by checking the parity of $t(0)$ and $t(1)$. This final step takes time $O(D)$.



Corollary 2. Let $E$ be an elliptic curve over a field of characteristic not equal 
to two. Let $P$ be a point of odd order such that $\phi(P)$ is a quadratic non-residue, 
and let $k$ be the minimal multiplier of a multiple $Q$ of $P$. Given $P$, $Q$ and an 
oracle which can determine the quadratic residuosity of $W_{E,P}(k)$ in time $O(T(q))$, 
the elliptic curve discrete logarithm for any such $Q$ can be determined in time 

$$O((\log q)(T(q) + (\log q)^3)).$$

Proof. This follows from Proposition 3 with $N = 1$, $e_1 = 1$, $p_1(x) = x$ and 
Proposition 2. 

A few remarks are in order. 

1. If $\phi(P)$ is a quadratic residue, one solution to this obstacle is to replace 
the initial problem of $Q = [k]P$ with the equivalent problem of $[n]Q = 
[k]([n]P)$ for any $n$ such that $\phi([n]P)$ is a quadratic non-residue. The se- 
quence $W_{E,P}(n)$ can be calculated term-by-term until such an $n$ is found. 
The existence of such an $n$ is guaranteed when $-1$ is a quadratic non-residue 
in $\mathbb{F}_q$, in which case $\phi([m-1]P) = -\phi(P)$ suffices. Other cases are less clear. 

2. The condition that the order of $P$ is relatively prime to the even quantity 
$q-1$ is required in several ways. First, for the very definition of $\phi$ (Theorem 
6). Furthermore, if the order $m$ of the group $\langle P \rangle$ is even, multiplication by 2 
is not an automorphism, and so there is no unique 'half' of a point (this is the 
same difficulty that prevents this sort of parity attack on an $\mathbb{F}_q^*$ discrete log). 
However, if $m \mid (q-1)$ is odd, then $k$ satisfies a discrete logarithm equation 
of the form $A = B^k$ in the group $K^*/(K^*)^m$, which has an odd number of 
elements. Therefore, this does not determine the parity of $k$. 

3. Similarly, if $q-1$ is odd (i.e. $\mathbb{F}_q$ has characteristic 2), then $A = B^k$ does not 
carry information about the parity of $k$. 



8 The EDS Residue Problem 

In light of the preceding section, it is natural to define the problem of EDS 
Residue (Problem 3). In Section 10 we will show that it is equivalent to the el- 
liptic curve discrete logarithm in sub-exponential time. How might one determine 
the quadratic residuosity of $W_{E,P}(k)$? Our first observation is that knowledge 
of the residuosity of one term $W_{E,P}(k)$ would determine the residuosity of the 
next term. 

Proposition 4. Suppose $Q$ is a known element of $\langle P \rangle$, but that its minimal 
multiplier $k$ is unknown. The quadratic residuosity of $W_{E,P}(k+1)/W_{E,P}(k)$ can 
be calculated in $O((\log q)^3)$ time. 

Proof. From (4) with $n = k$ and $n = k+1$, we have 

$$\frac{W_{E,P}(k+1)}{W_{E,P}(k)}$$

The calculation of the terms $\phi(P)$, $\phi(Q)$, and $\phi(P+Q)$ each takes $O((\log q)^3)$ 
time. 

Therefore, based on knowledge of $Q$ but not $k$, the sequence 

for $n = k, \ldots, k+N$ may be calculated in $O(N \log q)$ time. Then the sequence 

$$W_{E,P}(n)$$

is either $S(n)$ or $-S(n)$. To determine which is to determine the quadratic resid- 
uosity of $W_{E,P}(k)$. 

Therefore, if some bias, or some pattern, for quadratic residues of the elliptic 
divisibility sequence $W_{E,P}(n)$ were known, then the correct choice of the two 
sequences above could be determined. However, as yet we have no evidence to 
suggest that the ratio of quadratic residues among the terms is not $1/2$ in general. 



9 ECDLP through EDS Discrete Log in the case of 
Perfect Periodicity 

Problem 4 (EDS Discrete Log) is less unusual in flavour than the other problems 
considered here: general discrete logarithm attacks will apply. Recall the proof 
of Theorem 7, in which blocks centred at $k$ are defined; denote such a block by $B(k)$. 
From $B(k)$, the recurrence relation can be used to calculate $B(2k)$ or $B(2k+1)$. 
In fact, Shipsey goes further, and shows how two blocks $B(k)$, $B(k')$ can be 
added to obtain a block $B(k+k')$ in a similarly efficient manner (see [1, p. 
23]). This means that the sequence of blocks $B(n)$ is a sequence along which we 
can move easily by addition and $\mathbb{Z}$-multiplication. Therefore, algorithms such as 
Baby-Step-Giant-Step and Pollard's $\rho$ can be applied to this problem. 



10 Equivalence of Hard Problems 

Proof (Proof of Theorem 3). (3) $\Rightarrow$ (1): Corollary 2. (1) $\Rightarrow$ (2): If $k$ is 
known, we can assume $0 \le k < \mathrm{ord}(P)$, and then $W_{E,P}(k)$ can be calculated in 
$O((\log k)(\log q)^2) = O((\log q)^3)$ time. (2) $\Rightarrow$ (3): Residuosity of a value in $\mathbb{F}_q^*$ 
can be determined in sub-exponential time (see [23] for algorithms). (1) $\Rightarrow$ (4): 
Theorem 9. (4) $\Rightarrow$ (1): Theorem 8 allows calculation of $\phi([k]P)$, $\phi([k+1]P)$, 
and $\phi([k+2]P)$ in sub-exponential time. 
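The block doubling that Section 9 attributes to Shipsey, and the $O(\log k)$ computation of a sequence term used for (1) $\Rightarrow$ (2) above, as an added Python example (not Shipsey's code and not the paper's). The two doubling formulas are derived from the defining recurrence in the introduction by setting $(n, m) = (k, k-1)$ and $(k+1, k-1)$; the block shape $W(k-3), \ldots, W(k+4)$, the normalisation $W(1) = 1$, the constructed prime modulus $1009$ and the choice of Ward's classical integer sequence ($W(2) = 1$, $W(3) = -1$, $W(4) = 1$) are assumptions of the example. It computes a general EDS $W(n)$ modulo $q$, not the paper's perfectly periodic normalisation $W_{E,P}$, whose definition (Theorem 6) is not reproduced on this page; the double-and-add on the index is the same in both cases.

```python
"""Block doubling for an elliptic divisibility sequence (EDS) modulo a prime q.

Defining recurrence (from the paper's introduction):
    W(n+m) W(n-m) = W(n+1) W(n-1) W(m)^2 - W(m+1) W(m-1) W(n)^2
With (n, m) = (k, k-1) and (k+1, k-1), and W(1) = 1, this gives:
    W(2k-1) = W(k+1) W(k-1)^3 - W(k-2) W(k)^3
    W(2k)   = W(k) (W(k+2) W(k-1)^2 - W(k-2) W(k+1)^2) / W(2)
A block B(k) = [W(k-3), ..., W(k+4)] holds enough terms to build B(2k) or B(2k+1).
"""

Q_MOD = 1009  # constructed prime modulus (assumption of this example)

# Constructed example sequence: Ward's classical integer EDS 1, 1, -1, 1, 2, -1, -3, ...
# given by its initial values W(2), W(3), W(4); W(1) = 1 by normalisation.
W2, W3, W4 = 1, -1, 1


def naive_terms(n_max, mod):
    """W(0..n_max) computed sequentially over the integers (exact), then reduced mod q.
    Uses the recurrence with m = 2: W(n+2) = (W(n+1)W(n-1)W(2)^2 - W(3)W(n)^2) / W(n-2).
    Linear in n_max, and the integers grow quadratically in the exponent: the
    reference computation, not the fast one."""
    assert n_max >= 4
    w = [0, 1, W2, W3, W4]
    for n in range(3, n_max - 1):
        num = w[n + 1] * w[n - 1] * W2 * W2 - W3 * w[n] * w[n]
        assert num % w[n - 2] == 0  # exact divisibility is what makes W an EDS
        w.append(num // w[n - 2])
    return [x % mod for x in w]


def block_step(blk, mod, bit):
    """Given B(k) = [W(k-3), ..., W(k+4)] mod q, return B(2k) (bit = 0) or B(2k+1) (bit = 1).
    This is the block-doubling step of Section 9, re-derived here from the recurrence."""
    inv_w2 = pow(W2 % mod, -1, mod)

    def w(i):  # W(k+i) for -3 <= i <= 4, read from the current block
        return blk[i + 3]

    def odd(j):   # W(2(k+j) - 1); needs W(k+j-2) .. W(k+j+1)
        return (w(j + 1) * pow(w(j - 1), 3, mod) - w(j - 2) * pow(w(j), 3, mod)) % mod

    def even(j):  # W(2(k+j)); needs W(k+j-2) .. W(k+j+2)
        return w(j) * (w(j + 2) * w(j - 1) ** 2 - w(j - 2) * w(j + 1) ** 2) * inv_w2 % mod

    seq = []  # W(2k-3), W(2k-2), ..., W(2k+5): nine terms covering both candidate blocks
    for j in (-1, 0, 1, 2):
        seq += [odd(j), even(j)]
    seq.append(odd(3))
    return seq[1:] if bit else seq[:8]


def eds_term(n, mod):
    """W(n) mod q in O(log n) block steps: double-and-add on the index n,
    starting from B(1) = [W(-2), ..., W(5)] and using W(-n) = -W(n)."""
    assert n >= 1
    w5 = W4 * W2 ** 3 - W3 ** 3  # W(5) = W(2*3 - 1) from the odd formula with k = 3
    blk = [x % mod for x in (-W2, -1, 0, 1, W2, W3, W4, w5)]
    for bit in bin(n)[3:]:  # skip the leading '0b1'; remaining bits, most significant first
        blk = block_step(blk, mod, int(bit))
    return blk[3]  # the centre entry of B(n) is W(n)


if __name__ == "__main__":
    ref = naive_terms(64, Q_MOD)
    for n in (1, 2, 9, 10, 33, 64):
        print(n, eds_term(n, Q_MOD), ref[n])
```

Each block step costs a constant number of field multiplications and one inversion of $W(2)$, so the index-$k$ term is reached in $\lfloor \log_2 k \rfloor$ steps, which is the $O(\log k)$ factor in the (1) $\Rightarrow$ (2) bound; the same step applied to the index of an unknown term is what lets Baby-Step-Giant-Step and Pollard's $\rho$ walk the sequence of blocks in Section 9.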



References 

1. Shipsey, R.: Elliptic Divisibility Sequences. PhD thesis, Goldsmiths, University of 
London (2001) 

2. Ward, M.: Memoir on elliptic divisibility sequences. Amer. J. Math. 70 (1948) 
31-74 

3. Swart, C.: Elliptic curves and related sequences. PhD thesis, Royal Holloway and 
Bedford New College, University of London (2003) 

4. Ayad, M.: Périodicité (mod q) des suites elliptiques et points S-entiers sur les 
courbes elliptiques. Ann. Inst. Fourier (Grenoble) 43(3) (1993) 585-618 

5. Silverman, J.H.: Common divisors of elliptic divisibility sequences over function 
fields. Manuscripta Math. 114(4) (2004) 431-446 

6. Silverman, J.H.: p-adic properties of division polynomials and elliptic divisibility 
sequences. Math. Ann. 332(2) (2005) 443-471 (Addendum 473-474) 

7. Everest, G., McLaren, G., Ward, T.: Primitive divisors of elliptic divisibility se- 
quences. J. Number Theory 118(1) (2006) 71-89 

8. Stange, K.E.: Elliptic nets and elliptic curves. http://arxiv.org/abs/0710.1316v1, 
submitted (2007) 

9. Stange, K.E.: Elliptic nets and elliptic curves. PhD thesis, Brown University (May 
2008) 

10. Everest, G., Poorten, A.v.d., Shparlinski, I., Ward, T.: Elliptic Divisibility Se- 
quences. In: Recurrence Sequences. American Mathematical Society, Providence 
(2003) 163-175 

11. Stange, K.E.: The Tate pairing via elliptic nets. In: Pairing-Based Cryptography 
- PAIRING 2007. Volume 4575 of Lecture Notes in Comput. Sci. Springer, Berlin 
(2007) 329-348 

12. Gosper, R.W., O.H., Schroeppel, R.: Using Somos sequences for cryptography 

13. Silverman, J.H.: The arithmetic of elliptic curves. Volume 106 of Graduate Texts 
in Mathematics. Springer-Verlag, New York (1992) Corrected reprint of the 1986 
original. 

14. Stange, K.E.: Elliptic nets, generalised Jacobians and bi-extensions. In preparation 

15. Frey, G., Lange, T.: Background on curves and Jacobians. In: Handbook of el- 
liptic and hyperelliptic curve cryptography. Discrete Math. Appl. (Boca Raton). 
Chapman & Hall/CRC, Boca Raton, FL (2006) 45-85 

16. Bach, E., Shallit, J.: Algorithmic number theory. Vol. 1. Foundations of Computing 
Series. MIT Press, Cambridge, MA (1996) Efficient algorithms. 

17. Duquesne, S., Frey, G.: Background on pairings. In: Handbook of elliptic and 
hyperelliptic curve cryptography. Discrete Math. Appl. (Boca Raton). Chapman 
& Hall/CRC, Boca Raton, FL (2006) 115-124 

18. Galbraith, S.D.: Pairings. In: Advances in elliptic curve cryptography. Volume 
317 of London Math. Soc. Lecture Note Ser. Cambridge Univ. Press, Cambridge 
(2005) 183-213 

19. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to 
logarithms in a finite field. IEEE Trans. Inform. Theory 39(5) (1993) 1639-1646 

20. Frey, G., Rück, H.G.: A remark concerning m-divisibility and the discrete loga- 
rithm in the divisor class group of curves. Math. Comp. 62(206) (1994) 865-874 

21. Crandall, R., Pomerance, C.: Prime numbers. Springer-Verlag, New York (2001) 
A computational perspective. 

22. Fong, K., Hankerson, D., López, J., Menezes, A.: Field inversion and point halv- 
ing revisited. Technical Report, CORR 2003-18, Department of Combinatorics and 
Optimization, University of Waterloo, Canada (2003) 

23. Itoh, T., Tsujii, S.: An efficient algorithm for deciding quadratic residuosity in 
finite fields GF(p^m). Inform. Process. Lett. 30(3) (1989) 111-114 



